I got a letter the other day from AOL postmaster Carl Hutzler, about how the Internet community could get rid of spam, if it really wanted to. With his permission, here are some excerpts.

"Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution).

In fact it does not take email identity technologies either (although these are certainly needed and part of the solution).

The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.

We need message providers to implement better security on their networks and take responsibility for their networks being sources of spam. The number of ISPs who don't even authenticate their members is frankly appalling (just for starters).

AOL has implemented the solution to stop spam on our system. We do not send it any more. We even published the solution in the ASTA [the Anti-Spam Technical Alliance, a group of the largest ISPs] technical document. We are again trying to get the info to other messaging providers via the MAAWG.org group.

But no one wanted to listen to one ISP. So we had to apply the set of solutions for every other ISP around the planet for them!

1) The port 25 blocking we do for them (via pattern matches on their dynamic space or getting their actual dynamic IP space from them if their regex set-up is not thought out well)

2) Our Second Received Line rate limits which put reasonable controls on the amount of mail an end user can send through their ISPs mail server.

This is why AOL reported our spam is almost eliminated. Yes, I said it, eliminated. I get so little spam on my AOL business account (the one that has 20 pages of google results, countless newsgroup hits, etc). I think I have gotten 10 spams total in my inbox over the last month and many of them go to the spam folder where they should be. Just think how different everyone's spam problem could be if ISPs did a few of these things, and more simply, took responsibility for their customers/networks. Spam would be gone.

But no one else is reporting success like this? Why? Because every other ISP is building better and better filters to help their system fend of the spam. But the sources of spam are still there and spammers can keep sending till their hearts content until we stop them at the source.

Filters and blocklists are band aids.They do nothing to solve the problem.

Messaging Providers taking responsibility when their networks are commandeered to send spam is the solution.

Why do we all keep building better filters? Because it helps us instead of helping others. And its easy as most of these are shrink wrapped software or services that are easy to apply. Good for Postini and Brightmail and spamassasin, but not a solution, just a bandaid. Why do people do this and never try solving the problem? Security for our networks and messaging platforms is much harder to implement, and likely most importantly, it does not help the ISP stop spam inbound to its network usually. So no one does it.

What we need is for providers to do BOTH. You have to implement better filters to survive (we sure do), but we all also have to fix our sources of spam that clog other networks. Eventually as providers do BOTH actions, the problem will go away and everyone will be able to remove the BANDAIDS from the spam wound as we won't need filters and blacklists as much in the future.

A Funny Example

If a spammer had a T1 line provided by [a large network], we all would be up in arms that the network is all of a sudden a blackhat ISP hosting known spammers on the Spamhaus ROKSO list, etc, etc. But the fact that that network and many other ISPs are hosting spammers via trojaned and zombied customers and have no security on their network to prevent this situation or manage it at least, does not seem to bother us (messaging providers) as much as it should. Well shame on us.

If you want less spam, then can we all commit to manage our systems better?"

Carl then went on to comment on a large web hosting company, which will remain nameless both to protect the guilty and because many other web hosts are just as bad.

"They have been spamming the be-jesus out of AOL for months now because they have customers who run insecure formmail and other CGIs. When will these premier hosting companies write a program to find them before the spammers and prevent customers from installing these open relays (cgi scripts) on their network? When will these companies monitor their scomp [AOL's automated spam reporting] complaints and take them off the air without my team having to constantly call them? When will they stop telling their customer service reps to blame AOL for delivery issues their customers are seeing when they can't mail to AOL because we have temporarily blocked them for the 15th time in 2 months?

Should anyone be allowed to operate an email system? Perhaps not. Or perhaps we will find a group of ISPs that band together to create a second email system on top of the current one for email providers that know how to control their networks. And the other people will be on another system, the old one filled with spam."

Everything that Carl says is, largely self-evidently, true. What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Comments

I quite agree with Carl. In addition to this, responsible ISP's also scan outgoing mail for viruses (not just incoming), this will reduce the number of machines getting infected and being turned into zombies.

Responsible ISP's will also have terms and conditions in their contracts with clients who want to run their own mail servers that prohibit them from spamming or falsifying mail headers.

Making it Federal law that non compliant spammers are liable to pay one thousand dollars, yes I said 1,000.00 dollars, for each and every illegal spam to their victims along with vigorous law enforcement is a better answer. Of course authentication of addresses is necessary to find and prosecute them too.

I'd like to point out that there are programs that allow people to turn their own PC's into a mail server. This way, anyone can send out their own messages. If all ISP's prevented outgoing spam, believe me, that would not stop spammers.

And this guy works for a major ISP… but then again it is AOL, so why would I have expected him to know what he was saying?

I think AOL is just totally wrong on several accounts. Far from being ineffective band-aids, the Bayesian filter has quickly become the single most effective anti-spam tool ever invented. It's my primary anti-spam tool, and it works so well that I don't really need anything else.

Much worse, AOL (like other ISPs that cater to the lowest common denominator) don't seem to shy away from heavy-handed anti-spam tactics, like blocking port 25, that cause lots of collateral damage. They presume most everyone to be guilty of spamming, and couldn't care less even if you can prove your innocence.

There's a communication gap here. Carl's talking about something that can be done on the server side. While bayesian makes an excellent antispam solution on a client machine, for one person, it is not as useful for server side filtering because of various issues (useful only when trained on a per user basis, rather than as a systemwide filter, takes up a disproportionate amount of CPU cycles, far more than it is worth when there are far less expensive and typically more effective ways to reject spam at the gateway). Further, by the time spam reaches your mailbox and you do bayesian (or whatever else) to filter it out - it has been accepted, it has been delivered, bandwidth, CPU cycles and disk space have been wasted on it - so money has been spent receiving it. A single spam costs a fraction of a cent to receive, store and process - but when you run a network for millions of users, and you get billions of spams thrown at your network every day, the numbers kind of add up. Bayesian is about as useful as udders on a bull for server side filtering on this scale, at this level.

and Phil signs off with -

> Fortunately, AOL isn't the whole Internet

Unfortunately, I would say.

James Seng - Port 25 blocking does help to an extent in that it forces all the spam coming out a network to get funneled through a comparatively narrow outlet - the ISP's own outbound mailservers. When the ISPs who implemented port 25 filters on their dynamic IP pools then implement filtering on their outbound mailservers, that tends to choke the spam flow off. AOL is right that they're doing stuff at their end to mitigate the effects of what ISPs should be doing on their network, but are not.

Tom Minchin - [about AOL not doing port 25 blocks] .. They do port 25 redirects so that mail sent direct from port 25 on their dialups gets routed out a separate set of outbounds from the rest of their traffic. However as they have huge amounts of dialup space (that includes /10, /12 and /14 netblocks) a newly provisioned dialup pool may start off for a while without filters on it, or spammers might find other ways (like using spoofed source addresses, that'd be defeated by increasing adoption of RFC2827 / uRPF / ingress and egress filtering). In the meantime, http://postmaster.info.aol.com/servers/ lists AOL's dialup pool, and this is contributed to dynamic IP blocklists like SORBS DUHL (freely avaialable) and MAPS DUL (which was once free, some years back but I believe it still gets widely used by large ISPs and corporations)

Carl definitely nailed part of the problem. However, he misses another part - that of rogue ISPs hosting spammers.

I speak of groups like Glowing Edge (sample found at http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK3908 ), who, as of last year, was hosted on an ISP who was quite unwilling to drop them, despite repeated reports of abuse from myself and others (it appears they may have finally dropped GE from their customer base - I wonder how long it took...).

According to an employee at this ISP's abuse dept. (whom I actually spoke with over the phone), they don't drop customers unless they receive X number of complaints from *unique* addresses. That's right - if you're spammed 20 times over the course of a month by the same user, and you complain to their host each time, you're counted as one complaint.

Nice trick to say you're working on keeping the 'net spam-free, while still accepting money from the spammers as long as you can get away with it.

Half the problem are open relays or proxies - the other half are the abusive ISPs who continue to make money off spammers.

My thoughts on abusive networks such as this are simple: null route them. If they want to host spammers, fine. They can continue to do so on their own network - literally.

Initial note to put some of my posts in this thread in context: I don't work for Carl or for AOL .. but I do work for a large webmail ISP with 40 million users and I can see where he's right on the money about this issue.

Bayesian will most definitely NOT help here at the server level.

Dismissing AOL as clueless like another poster in this thread did wont help here either [they're staffed by clued people, for all the reputation that AOL users have on mailing lists and on usenet].

reply to michael khayat [about ISPs hosting spammers]

carl did point out that it is a known problem and one that's being dealt with too.

he's highlighting the other side of the problem - extensive spam from webhosts and ISPs who do have a good reputation wrt spam, but whose filtering doesn't quite cut it when it comes to stopping outbound spam, however hot shot it might be when stopping spam inbound to its users.

I can easily block a ROKSO / SBL listed spammer - and in fact we do use SBL to filter email that is sent to our users.

It is a much harder decision for me to block [to pick a random example] Comcast or Verio - and it is a decision that I would reject in favor of working with these guys rather than blocking them outright.

As he says --

---------
If a spammer had a T1 line provided by [a large network], we all would be up in arms that the network is all of a sudden a blackhat ISP hosting known spammers on the Spamhaus ROKSO list, etc, etc. But the fact that that network and many other ISPs are hosting spammers via trojaned and zombied customers and have no security on their network to prevent this situation or manage it at least, does not seem to bother us (messaging providers) as much as it should. Well shame on us.
-----------------

I, myself have run a mail server for a major corporation, although I currently play the role of sysadmin at a large east coast (US) university - and yes, this includes running a mail server.

I am also a subscriber for one of the aforementioned ISPs, and run a (personal) mail server off of that connection - technically, against the agreement with my ISP, but I've been doing it for years, and they haven't had a problem with it - yet.

As you might be able to tell, I'd be less than elated if my ISP were to suddenly block port 25. Yes, I realize it's technically against my agreement with the ISP to run a server. However, advocating punishment for those who run legitimate servers (which I consider mine to be, of course) as a way of stemming the flow of spam through compromised machines is a bit much.

Part of the solution is to have a dedicated abuse department which is proportionate in size to your customer base. Having only a few people who only work on abuse part-time to maintain a nationwide customer base doesn't cut it. Another part is to use services like SenderBase - some broadband subscribers are sending more mail than many large mail servers (and no, I'm not one of them - I checked :) ), and this seems to help weed out the larger abusers. Yet another part is, of course, to have an abuse department which actually follows up on abuse complaints, as well as a policy which sees compromised systems with unresponsive owners disconnected from the network.

Suresh, I realize that Carl touched on the hosting issue. My point, however, was that it IS a big problem, and one that's related to the issue at hand. The SBL is most definitely useful as a filter - but for ISPs to merely allow their netblocks to be added to lists like the SBL, and then do nothing about removing the abusive customer - this is implicit support of spammers, and any network having a history of such abuse should be disconnected from the larger Internet.

jamesandshari - More regulation by law enforcement is not the answer, here. As it is, they're streched pretty thin, and different laws in different countries make this unworkable on a global network. There are other ways of dealing with this problem that don't involve the creation of new, largely ineffective laws like CAN-SPAM.

I am also a subscriber for one of the aforementioned ISPs, and run a (personal) mail server off of that connection - technically, against the agreement with my ISP, but I've been doing it for years, and they haven't had a problem with it - yet.

As you might be able to tell, I'd be less than elated if my ISP were to suddenly block port 25. Yes, I realize it's technically against my agreement with the ISP to run a server. However, advocating punishment for those who run legitimate servers (which I consider mine to be, of course) as a way of stemming the flow of spam through compromised machines is a bit much.

But is is NOT a legitimate server. You have a contract for services, and you are in violation of that contract. You have no right to do that just because your ISP doesn't forccibly prevent it, and if they change how their network operates so that you are no longer able to break your agreement with them, what grounds do you have for being upset?

Note that in most places where it is possible to buy anything more than an intermittent dialup line, it is also possible to buy service under terms that do not forbid running servers. There's a very good chance that your current ISP offers such service. You've found a way to pay for one level of service and break your contract to get a level of service that honest people pay more for. I don't see how that can be a meaningful argument against port 25 blocking, but I can see it as a strong economic argument for port 25 blocking without any reference at all to spam.

--- Bill Cole ---
But is is NOT a legitimate server. You have a contract for services, and you are in violation of that contract. You have no right to do that just because your ISP doesn't forccibly prevent it, and if they change how their network operates so that you are no longer able to break your agreement with them, what grounds do you have for being upset?
----------------------------

Bill, I agree with you here - I really DON'T have much right to complain if my ISP blocks port 25. In fact, I'd probably just move to another ISP if this were to happen.

--- Bill Cole ---
Note that in most places where it is possible to buy anything more than an intermittent dialup line, it is also possible to buy service under terms that do not forbid running servers. There's a very good chance that your current ISP offers such service. You've found a way to pay for one level of service and break your contract to get a level of service that honest people pay more for. I don't see how that can be a meaningful argument against port 25 blocking, but I can see it as a strong economic argument for port 25 blocking without any reference at all to spam.
----------------------------

I'm reasonably certain that my ISP doesn't offer that level of service - in fact, the last time I looked, the only other level offered was business accounts, and THOSE didn't allow you to run a server either.
There's also the question of: why should I pay more for the same internet connection when I don't receive any direct economic benefit from running my server? Perhaps I'll have some sort of uptime guarantee - but I'm happy enough with my uptime now. As long as my ISP doesn't take issue with my running a mail server (again, after several years, they haven't), why pay more for something which doesn't make me any money?

In any case, we're drifting off the core discussion. My argument was against punishing all users bcause some users run compromised computers.

It used to be that an ISP would hold it's users responsible for their actions. The same goes for the computer(s) used by these users - if a system is compromised, and it's owner is unresponsive, then the ISP merely needs to disconnect the user from it's network.

This will, of course, generate more support calls than usual. I can understand why this is bad from a business perspective - but at the same time, merely ignoring compromised computers (or, possibly worse, implementing a blanket solution which affects EVERYONE) has it's own cost.

As a slightly preposterous illustration of this 'fix', imagine a worm/trojan/virus (or, better yet - multiple worms/trojans/viruses/other malware) which causes it's host to hit www.microsoft.com on port 80. Should the affected ISPs block all traffic to port 80 on www.microsoft.com (or just to port 80 altogether?). Imagine the fun that would ensue…

Going back to a more real-world example for SMTP, however…

Many places (universities come immediately to mind, as I am employed by one) offer email services which are reachable from outside their networks. This often includes SMTP servers (which often require some sort of authentication to relay). Users may already be set up to use these mail services - perhaps from a laptop. How do you expect the ISP to handle legitimate use of outside mail services like this?

To make a long story short: blanket filtering is not necessarily the way to go. Handling abusive users/computers/etc. *is*. This means cooperation, from the ISPs who host spammers to the ISPs who host compromised end-user computers. That is the ONLY way the mess that is email will be fixed.

Michael - I realize that what you are saying is ideal, but with all due respect, running a university network or a large corporation is still a far cry from trying to drink at the firehose of large ISP abuse handling. Doing it manually the way you suggest just wont scale .. you're talking about something like hundreds of thousands of zombied / trojaned PCs that need [cheaper] router level blocks + [costlier] automated detection mechanisms to contain them.

You'll find quite a few presentations on this if you trawl through past nanog mtg archives I guess .. but anyway, believe me, trying to get staffing to handle all that abuse without the backup of sufficient filtering and automated detection / mitigation is just not going to scale.

These are not real time - they are an old set of stats that are, however, reasonably average for the sort of email traffic that we get (modulo sudden massive spikes when the next big spam sending virus comes down the turnpike]

So - if you want to operate your own mailserver on a broadband line I'd suggest setting your mail to smarthost out through your ISP's mailservers. http://www.hserus.net/exim.html (and sendmail.html, qmail.html, postfix.html as well on that site) are howtos that I wrote that seem to be reasonably popular - shows that lots of people are taking this way out to run a mailserver and still work around port 25 blocks.

The other (and far better) alternative is to get a personal colo - that's far cheaper if you dont need business grade five nines type stuff. I'd suggest a visit to the "Personal Colo Registry" at Paul Vixie's site http://www.vix.com that shows where you [or maybe a group of your friends who are also clued, and also in the same situation wrt servers on home broadband lines] could rent a server for a month, for about what it costs to buy a good steak dinner…

[damn, i just wish circleid had threaded posting like livejournal has]

--------------
Going back to a more real-world example for SMTP, however…

[description of smtp auth relay from offcampus]
----------------

Yes - and port 587 (the MSA / Submit port) is a real world solution to that real world example - moreover, one that has been around for years now… set your smtp auth relay server up to listen on port 587 with auth + certificates + whatever else and you're good to go

[and mind that you filter it heavily for spam and viruses or you'll find this smtp auth being hijacked out of infected PC's outlook express settings ... ]

I agree that just blocking or redirecting outgoing port 25 and ignoring compromissed machines isn't all the ISP should do. But if they do block 25, then the ISP doesn't have to spend as much resources on having to analyse abuse complaints e-mailed to them, often by users who don't know how to send full uncorupted headers. This freed up resource can then be put to use actually identifying machines that are compromised (e.g. trying to connect out on port 25 all the time, doing port scans etc.).
Some ISP's such as Comcast are only selectively blocking port 25, and that has certainly reduced the number of spam e-mails to I receive from their network, but this still allows for a gap of time from when the machine is compromised until it is blocked.
To keep their clients happy, yes ISPs should warn them ahead of time what they intend to do, and possibly also allow users that have requirements to run a mail server to do so, but that these users have in their contracts what obligations they have to ensure that it isn't being used to spam.

There's also the question of: why should I pay more for the same internet connection when I don't receive any direct economic benefit from running my server?

That's a more complex question than it may seem. There are many answers.

1. Maybe YOU shouldn't, but the market will pay a premium for the permission to run servers. Whether that permission has monetary value to YOU or not isn't even the full answer to whether you should pay extra for it. There is more to value in economics than direct monetary benefit. That's how capitalism manages to work: people trade non-cash goods and services for cash.

2. An ISP's business model is aggregating usage patterns that the ISP can predict for many users and working out ways to sell services of different sorts to get the right mix of different usages to be able to aggregate them all into the most economical ways to buy big bandwidth. For example, I did some work with a small ISP in then mid-90's where they had a very good model of what sorts of accounts used bandwidth in which ways. They would adjust pricing of different services to maximize their overall external capacity utilization and to balance upstream/downstream flow so that they didn't ever have a lot of spare (i.e. unsold) bandwidth in either direction. A user who runs his own servers is very likely to be an outlier in usage of upstream external bandwidth compared to the normal consumer account, and that may mean less capacity available to sell to another sort of client (e.g. a web hosting account) In short: whether it is a tangible benefit to you or not, there may be a tangible added cost to the provider to service your needs.

3. ISP's are finally seeing support, security, and abuse handling as areas that make up a significant and controllable element of their costs. Enforcing port restrictions on links that are run under service terms that forbid the associated uses can cut into how much variable cost comes from that class of account. If an ISP blocks traffic to off-network port 25 from all of their consumer accounts that are contractually committed to run no servers, they eliminate work for their abuse desk from compromised machines, support costs because their users' machines will cease to be of interest to the zombie-herders, and background noise for their security efforts to contend with. The people on filtered links will cost them less to service than those on unfiltered links.

And further…

In any case, we're drifting off the core discussion. My argument was against punishing all users bcause some users run compromised computers.

For most ISP's, blocking port 25 for their consumer-grade accounts is not a punishment in any way for anyone who is not in breach of the service contract. For most customers, who mostly follow the service agreements they have made without even thinking about the detail of running a server or not, the only effect is positive: they become less attractive as targets for compromise.

This IS part of the core issue: ISP's who only try to deal with spam ingress are not doing anything for the net as a whole, and can do more for their own costs and for their own non-abusive users by taking active steps to stop the spam flowing out of their networks. That means that they need to crack down on the users who are knowingly spamming and on those who are actively breaching their contracts by running servers. The former need to be gone and the latter need at least to be identified for special-casing, probably should be segregated to specific subnets, and maybe should be vetted for competence and/or charged extra for the more abuse-prone service class.

And yes, it would be better if ISP's could afford to sell only unrestricted access and provide abuse desks the necessary resources to do their jobs very well. Having spent a year fruitlessly trying to sell really good abuse desk servies to ISP's at the peak of the boom, I am completely convinced that ISP's cannot afford to sell unfettered service at the price points set by years of money-sink dotbombs while funding the necessary abuse desks to deal with the abuse that yields and still be profitable and competitive. The poor job done by all major consumer ISP's except AOL in abuse handling tends to support that.

I agree as do many security folks that I have heard from as to doing BOTH as Carl supggests. Also think Phil Karn's direction is also useful in eliminating the emptis for spam. What botheres me is that allot of the spam/UCE I get is from AOL, Yahoo, Hotmail and a number of ccTLD based ISP's… So it appears to me that postmasters are not getting the input into addressing spam/UCE with network administrators as they should or could…

To Jeffrey Williams -
<<"Be precise in the use of words and expect precision from others" -
Pierre Abelard>>

Now, I'll ask a rather precise question. "A lot of the spam you get is from AOL, Yahoo etc". Is that "from yahoo / AOL's servers, and/or from accounts that actually exist on yahoo / aol" or "email from an address that has some random string @yahoo.com forged into the from"?

Work is being done at various levels to find technical means to get rid of forged spam, but that is going to be tough. But till then 99% of the spam you get that claims to be from these providers will be forged spam for which you can't blame AOL or Yahoo as the spam did not originate either from their servers or their users.

A comparatively small fraction of spam does come direct from aol / yahoo etc - in which case you report spam to their abuse desk - possibly using http://www.spamcop.net which tends to do a better job at reading email headers than most people do.

It's not just people who run their own servers that have a use for port 25; there are also people who use an e-mail provider other than their own ISPs, like for instance one associated with their Web hosting provider. Not everybody wants to lock themselves into their current ISP's provided e-mail address, which they'll have to change if they ever change ISPs; some want to use mailboxes in their own personal domains.

Daniel, unless your ISP validates the From and/or Sender address on outgoing e-mail (which most ISP's don't do as yet), you can quite happily point your SMTP (port 25) to your internet provider, while pointing your POP (port 110) to your web hosting provider. In fact that is the exact configuration I'm currently running and it works fine.

Here is another approach to stopping spammers.
Project Honeypot targets those that use e-mail harvesters to get e-mail addresses from your web pages.
I've signed up and added a honeypot to my web site.
You can learn more and sign up for free by visiting:

Mr. Hutzler makes several good points, and his basic premise is correct: ISPs *MUST* accept responsibility for what exits their network, and they *MUST* do everything within their ability to manage what exits their network. Unfortunately, he is also wrong on several points, and he makes a few arguments that simply do not follow.

Mr. Hutzler: Filters and blocklists are band aids. They do nothing to solve the problem.
Rebuttal: Yes, they do. The spam problem exists for two reasons that are dependent upon each other: 1) Sending spam is profitable; 2) It is still reasonably easy to find an open relay/open proxy/zombie host/open access point/some other exploit that allows spammers to send UCE without being caught. *ANYTHING* that ISPs do to raise the cost of spam helps to solve the problem. Proof that filters and blocklists work is that spammers have been forced to find ways around them. From a recent Nanog post by Rich Kulawiec:
"Here's a question of my own: why do you think spammers created zombies?...They did it because the blacklists were starting to work. The aggregate effect of all those DNSBLs in use by all those people was finally starting to put a dent in their delivery rates....if you watch what the spammers do to evade pain, then you can figure out what's hurting them. And whatever *that* turns out to be, we should be all over it as much as we can, as fast as we can, because the spammers are _telling us_ that it's working."

Mr. Hutzler: But no one else is reporting success like this? Why? Because every other ISP is building better and better filters to help their system fend of the spam.
Rebuttal: But this is exactly what you just described: rate limits on e-mail inbound to AOL and blocking port 25 on dynamic or known abusive networks. You built a better filter. AOL can get away with agressive filtering, because just about every other ISP will jump through hoops to stay on AOL's good side. On the other hand, if I were to implement the same filtering scheme, all I would do is cut off e-mail to my users because the big dogs like AOL couldn't care less if a small ISP up in Alaska is blocking them, because the population of AOL users who receive e-mail from my customers is too small.

Mr. Hutzler: When will they stop telling their customer service reps to blame AOL for delivery issues their customers are seeing when they can't mail to AOL because we have temporarily blocked them for the 15th time in 2 months?
Rebuttal: My only problem with this is that, as far as I can tell, there is absolutely *NO* oversight on AOL's spam reporting. From the number of e-mails that I process through AOL's scomp, a large percentage of AOL's users who report spam don't know the difference between AOL's "report as spam" and "delete" buttons. AOL has successfully offloaded the cost of processing abuse complaints to the ISPs that send e-mail to them. In the case of actual spam, this is legitimate--if UCE came from my network,then it is my responsibility to work and resolve the problem. However, when a significant portion of the complaints I receive are *CLEARLY* correspondence between family members or friends, then something is broken with AOL's UCE reporting. It greatly annoys me and my co-abuse admins at work to have to read through all of the scomp complaints to weed out the legitimate correspondence, knowing that each of those *legitimate* e-mails is pushing us closer to the point where AOL's automatic filters blacklist us, and that there is *NO* recourse to AOL for the bogus reports (I've tried...).

Mr. Hutzler: Should anyone be allowed to operate an email system? Perhaps not.
Rebuttal: Even if other ISPs were not allowed to operate an e-mail system, that still wouldn't solve the problem of the zombie hosts...unless you were to operate your mail farm in such a way that it rejected everybody except for a few other hosts that were on your whitelist, and I don't think even AOL could get away with that.

Personaly I believe that blocking the port 25 would be a great step in teh fight against spam.
Before You jump to the flame-trower, let me explain:

1) There's no reason for a user to use his machine directly as a SMTP server. It is always possible (and more sensible) to relay trough the ISP's SMTP.
2) I believe the OUTGOING traffic trough port 25 should be blocked, but not the incoming. All in all, SPAM is made of outgoing email.

So, how would it works?

1) You set up a mail server.
2) It will relay your email trough the ISP's SMTP. The ISP must allow You to send an email with your domain (you@foo.bar). The only requirement is that Your domain (foo.bar) must have an DNS MX record pointing yours ISP MX as oficial for your domain.
3) Incoming traffic trough port 25 is allowed. After all, You must be able to get your messages!

If the ISP's SMTP is authenticated turns out to be quite easy to find the abusers (the logs, I love the logs), since the only way out would be trough ISP's SMTP.

I can't even beleive some of these comments i read. Blocking port 25, what for? waste time?

This is just another bandaid. Spammers do what they do and always find ways around. I host many domains for freinds and a mail server. Many of them use aol, earthlink etc.. which block port 25. They dont want to use their isp's mail server, they want to use mine. So easy fix. Opened another port. Whats stopping spammers from doing this same thing? Nothing!!

So whats the next fix after spammers STOP using port 25? Block the next port? than the next? how about the next? Oh wait, why dont we just block every UDP/TCP port? Problem cured.

Here's the Truth. You watch TV you see commecials right? You listen to the radio you hear commercials right? You open up your snail mailbox and find advertisements right. I especially hate the unsolicited CD's I get from Aol. My point is everywhere there's "spam". The internet is free and should stay free. I run my own mail server on a dynamic IP address. I have a legit domain name and spf record but I can't send e-mail to AOL because of my dynamic ip address. Which doesn't really bother me since I don't really have any contacts that still use AOL. My point is I choose to make a name for myself and I can't afford all the high priced bandwidth deals that ISP's charge for people that want to run servers. I guess to cut it short is Those who have the money make the rules.

Every network has (or will have) a spam problem. Taking responsibility for the problem is what many networks try to avoid.

AOL is not one that is hiding - they are trying to fixing their problems.

AOL currently does have unaddressed spam problems - mostly from their legacy netscape base, but also more recently from various dynamic address space which was not declared dynamic by them, and not filtered as well as it should have been.

Filters and blackhole lists are indeed bandages, but when you have a huge gaping hole in your side and are bleeding to death, you are indeed greatful for bandages.

AOL has changed a lot from "the bad old days", where they were the #1 spam source for a long time. I continue to be impressed with what they are doing to reduce the amount of spam leaving their network.

So thank you goes out to Carl, John and the rest - the problem does lie with the sender, and the ISPs absolutely do need to continue to work to become responsible for the activities of their customers.

I can't agree with Tonez who compares spam with any other form of publicity, because the cost of publicity is paid by the company that benefits of it. If weíre talking about spam, the big cost is not made by the sender of spam, but paid by the receiver. It costs time, bandwidth, storage and so on… But even more important, spam endangers mail as a way of communication.

Myself Iím from Europe (thatís why my English is far from perfectÖ), and at this moment Iím working in a large hospital where we are also have to deal with lots of spam. Most of the spam we receive is in English. To bad we have also legitimate English email, else I could simple block all English mail and the problem would be solved.

If we have a look at Spamhaus statistics (http://www.spamhaus.org/statistics.lasso) we can see in their ďTop10 worst spam countriesĒ, that only 1 European country is listed (United Kingdom is placed 10th).

Is this surprising? I donít think so, Europe has a totally different approach to spam. Here itís illegal to send someone a message if you donít have the permission of that person, in the US itís notÖ That means that lotís of the spam we receive is legal in the US but is violating the European law, but I donít think that there are lots spammer will check where their victims liveÖ

And thatís what make spam really a threat to mail in general. If over a period of one year every company in the US will send me email thatís conform with the can-spam act (so the supply an unsubscribe link), how will I be able to find my legitimate mail in my inbox??? And should I open every mail so I can unsubscribe or else the can send me more mail??? Impossible if you ask me.

Of course thereís also a lot of spam not confirm to the can-spam act, but if itís clearer whatís legal and whatís not, it will be lots easier to sue any spammer.

Will spam be stopped if all ISPs would take their responsibility? I donít think so, it probably would help a lot but spammers have already found to many ways to get their spam send trough the Wild Wild Web, that itís not possible to stop it all.

What really would stop spam, thatís when spam isnít profitable anymore. The only reason people spam is money (ok there are some exceptions, but those are rare). They know that people still buy their products, and because of their low cost if only a few of the hundreds of thousands of people buy the product itís enough for them.

So as long as people donít stop buying from spam, spam will exist and the only thing we can do is block and filterÖ And thatís what weíre trying to do in our hospital. Block as much spam as possible at the gateway (more than half of all mail), and filter out the rest for people that still receive several spammails a day with a Open Source plugin for Outlook that does Bayesian filtering (spambayes). Itís far from ideal, but we can live with that. Our mail system is not in danger anymore, and our users donít have to spend a lot of time on spamÖ

The biggest problem so far is that the cure has been worse than the disease. Programs like sorbs.net block or flag legitimate domain names because some spammer was on the same IP block. The owner of the legitimate domains had nothing to do with the spam nor did they choose the IP block they were placed on, but they suffer the penalty because of self-appointed self-righteous anti-spam gurus.

Then sorbs.net wants you to pay money to have your legitimate domain name removed from the list.

They claim the money is a "fine" and goes to a "charity".

A. They have no authority to fine anyone.

B. The so-called charity is a legal defense fund that defends people who claim to be anti-spam warriors and take it upon themselves to clean up the system.